Thursday, July 23, 2009

An open letter regarding opt out cookie expirations

I write to you today to draw your attention to several problems related to the process through which consumers can opt out of behavioral advertising performed by Network Advertising Initiative (NAI) member companies.

In particular, I would like to draw your attention to the widely varying expiration dates for the behavioral advertising opt out cookies supplied by the various NAI member advertisers. The opt out cookies for some sites last as little as six months, while others last as long as sixty years. This variability is not communicated to consumers, and as a result, many are unlikely to know that they must revisit the NAI web site and re-opt out every six months in order to maintain total opt out coverage.

I urge you to update the NAI Self-Regulatory Code of Conduct to require that your members adhere to a reasonable minimum expiration age for opt out cookies (I suggest at least five years). I also ask that you add text to the NAI opt out page to inform consumers of the shortest opt out cookie expiration, and make it clear that they will need to re-visit the site at that time in order to renew the opt out cookies.

The Issue in Depth

The Network Advertising Initiative provides a single-stop web site through which consumers can opt out of the behavioral advertising performed by its 34 member companies.

The text on this site advises consumers that:

To opt out of an NAI member's behavioral advertising program, simply check the box that corresponds to the company from which you wish to opt out. Alternatively, you can check the box labeled "Select All" and each member's opt-out box will be checked for you. Next click the "Submit" button. The Tool will automatically replace the specified advertising cookie(s) and verify your opt-out status.

While the site makes it relatively easy for consumers to opt out, no mention is made of the fact that many of the opt out cookies have been intentionally set to expire after a few short months, and thus the consumer will need to return to the NAI web site and repeat the process with some regularity in order to maintain total opt out coverage.

I am concerned that the NAI and its member companies have done nothing to inform consumers of this important issue. As a result, many consumers may falsely believe that a single visit to the NAI web site is sufficient.

There has already been quite a bit of attention paid to the ease with which opt out cookies can be accidentally erased by users (for example, whenever they clear out their browser cookies). The NAI itself even recognizes that problem, advising visitors to its frequently asked questions page that:

Will I ever need to renew my opt-out or opt out again?

If you ever delete the "opt-out cookie" from your browser, buy a new computer, or change Web browsers, you'll need to perform the opt-out task again. It's only when the network advertiser can read an "opt-out" cookie on your browser that it can know you have decided not to participate.

Those few users who explore the NAI site long enough to read through the frequently asked questions are quite likely to be deceived by the text of this statement – which implies that opt out cookies will stay put, except in the event that the user clears out her cookies, purchases a new computer, or switches to a new web browser.


Opt out cookie expiration dates vary, but are often far too short

When the NAI member firms implement their opt out process, their engineers set the length of the cookie expiration. While web cookies must have an expiration date (as per the technical standard), some NAI members have erred on the side of user privacy, and set their cookies to expire after 60 years or more. Unfortunately, many other NAI members have chosen to set their opt out cookies to expire after far shorter periods of time, some as short as six months.

There is simply no legitimate reason to set such a short expiration date.

With regard to opt out cookie expiration age, BlueKai, Media6Degrees and Specific Media are the worst of all NAI members. These firms have set their cookies to expire after 6 months. AOL’s Advertising.com is a close second at just 8 months.
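The expiration of an opt out cookie can be read directly from the `Set-Cookie` header that sets it. The following is an added example, not part of the original letter: it computes each cookie's lifetime from `Expires` or `Max-Age`, compares it with the five-year minimum the letter proposes, and reports the date by which the shortest-lived opt out must be renewed. The hosts, cookie names and header values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MIN_LIFETIME_DAYS = 5 * 365  # the five-year minimum the letter proposes

def cookie_lifetime_days(set_cookie, received):
    """Lifetime in days of one Set-Cookie value; None if it is a session cookie."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:          # skip the name=value pair
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value.strip()
    if "max-age" in attrs:                          # Max-Age overrides Expires (RFC 6265)
        try:
            return int(attrs["max-age"]) / 86400
        except ValueError:
            pass                                    # malformed Max-Age: fall back to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None                             # unparseable date: treated as session cookie
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - received).total_seconds() / 86400
    return None

def audit(responses, received):
    """Return (host, lifetime_days, verdict) per opt out cookie, plus the renew-by date."""
    rows, shortest = [], None
    for host, header in responses:
        days = cookie_lifetime_days(header, received)
        if days is None:
            verdict = "session-only"
        else:
            verdict = "ok" if days >= MIN_LIFETIME_DAYS else "too short"
            shortest = days if shortest is None else min(shortest, days)
        rows.append((host, None if days is None else round(days), verdict))
    renew_by = None if shortest is None else received + timedelta(days=shortest)
    return rows, renew_by

# Constructed sample data: hypothetical hosts and cookie names, not captured traffic.
RECEIVED = datetime(2009, 7, 23, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("ads-a.example", "optout=1; Domain=.ads-a.example; Path=/; Expires=Sat, 23 Jan 2010 12:00:00 GMT"),
    ("ads-b.example", "OPTOUT=yes; Path=/; Max-Age=1892160000"),
    ("ads-c.example", "optout=1; Path=/"),
]

if __name__ == "__main__":
    rows, renew_by = audit(SAMPLE, RECEIVED)
    for row in rows:
        print(row)
    print("renew opt outs by:", renew_by.date())
```

A cookie set with neither attribute is reported as session-only: it disappears when the browser closes, so it is excluded from the renew-by date.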

Most NAI members do not inform consumers of the opt out expiration

Of the 14 NAI members whose opt out cookies are set to expire in 24 months or less, BlueKai is the only firm to mention this fact in its privacy policy.

In the 6th paragraph of BlueKai’s privacy policy, the company notes that “As of May 1, 2009. BlueKai cookies will expire after six months from the date they are created.” However, this text is in the section of the privacy policy describing the company’s use of tracking cookies, which is 5 paragraphs above the section on opt outs. As a result, the few consumers who do read BlueKai’s policy are quite likely to wrongly believe that this statement only applies to the tracking cookies, and not the opt out cookie too.

The other 13 NAI members with opt out cookies that expire after a period of 24 months or less make no mention at all on their own web sites or privacy policies of this important bit of information.

My recommendations

Most consumers are unlikely to be aware of the short expiration dates of many NAI member opt out cookies. I urge you to take comprehensive steps to increase the length of the opt out cookies, and to better inform consumers of the fact that even under ideal circumstances, they will still need to re-visit the NAI web site a couple times per year in order to opt out again.

In order to provide consumers with a better opt out process, I urge you to do the following:

1. Update the NAI Self-Regulatory Code of Conduct to require that member companies adhere to a reasonable minimum expiration age for opt out cookies – at least five years.

2. Update the NAI Self-Regulatory Code of Conduct to require that member companies disclose the opt out expiration time in the privacy policy contained on their own web sites.

3. Add text to the NAI Opt Out Page to inform consumers of the expiration date of all the NAI members, so that they know when they must return in order to maintain complete opt out protection.

Christopher Soghoian, Ph.D. is a Washington, DC based privacy and security researcher. He is the Principal Technologist in the Speech, Privacy and Technology Project at the American Civil Liberties Union.